There are still many questions about Meltdown and Spectre, so we thought we would address ten of the more common questions and concerns in the market. The goal of this article is not to dissuade the reader or imply that the Meltdown and Spectre vulnerabilities are not something that should be addressed, but instead to provide the essential details that will help you make the educated decisions that need to be made about your specific environment.
What we have found is that there is no cut-and-dry answer, as no two environments are the same. This means that there is no website you can go to that is going to tell you what the "best practice" is for addressing these potential vulnerabilities. Though we have found some excellent and in-depth articles describing the details of the vulnerabilities, most articles simply tell you to apply the vendor patches. While this is currently the recommended approach, it is imperative to get as much information as possible before deploying any of these patches, as they have all had some repercussions.
1. Is the sky falling? Should I panic? I heard about this on the news. It must be serious, right?
The only people who should be panicking right now are the folks who run Azure and AWS. All kidding aside, there is no reason for most IT professionals to be panicking and rushing to address this vulnerability. We are not saying that it should not be addressed, but as we mentioned above, gather information and prepare a plan to address the situation in your unique environment.
2. What makes my environment unique?
So what makes your environment unique and different from every other IT infrastructure? Well, a lot of things actually:
- The antivirus/security software that you use
- The Operating System used on client and server hardware
- The client and server hardware
- Change management and testing procedures
- Methods for managing client and server hardware
3. Do I have to upgrade my firmware?
Yes. To patch the Spectre vulnerability, you need to update the firmware of your device. But ensure that you do your research and get guidance from your manufacturer.
"Customers who only install the Windows January 2018 security updates will not receive the benefit of all known protections against the vulnerabilities. In addition to installing the January security updates, a processor microcode, or firmware, requires an update. These are available through your device manufacturer."
4. Should I deploy the Windows update to AMD machines?
You might have heard that Microsoft pulled back their patches for AMD machines. The initial version of the patch that Microsoft released caused many devices to bluescreen. According to Microsoft:
"As of January 18, 2018, Microsoft has resumed updating all AMD devices with the Windows operating system security update to help protect against the chipset vulnerabilities known as Spectre and Meltdown."
5. I heard about Intel devices rebooting. What's going on?
On Jan 22nd, 2018, Intel updated their recommendations:
"We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behavior."
So what this means is that Intel is recommending that we stop installing any version of the firmware updates released before January 22, 2018, as a method of remediating the Spectre vulnerabilities. Our current advice is to stop patching Intel-based firmware and to check this link frequently for updated information.
6. What performance impact should I expect?
The folks at Microsoft have been kind enough to do some basic performance tests, and the high-level results are below:
- Windows 10 machines with Skylake, Kaby Lake or newer CPUs only see a performance impact measured in milliseconds. Most users won't notice.
- Windows 10 machines with older CPUs were affected more significantly. Users will likely notice the performance degradation.
- Windows 8/7 machines on Haswell or older CPUs will likely notice performance degradation.
For more info check out this post.
7. Why do I need to worry about my AV?
Microsoft defined a registry key that needs to be set by antivirus vendors once their antivirus software has been tested and validated against the update. Because of this, if the patch is installed on a machine with an unsupported antivirus, it has been known to cause computers to BSOD.
There have been reported issues with Symantec Endpoint Protection (SEP) and the January 9th patch. Shortly after that, on January 19, Symantec released an article addressing the problems that their customers were facing, noting that the issues have been resolved in the January 17th Microsoft updates.
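As an added example (not part of the original post), the following PowerShell reads the compatibility value that Microsoft documented for antivirus vendors to set, so you can confirm a machine's AV has declared support before you approve the January 2018 update for it. The key and value name are the ones Microsoft published; the function name and output shape are our own. Run it from an elevated prompt.

```powershell
# Added example: report whether the AV vendor has set Microsoft's compatibility
# value before the Meltdown/Spectre Windows update is approved for this machine.
function Test-AvQualityCompat {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'   # Microsoft-documented value; must be REG_DWORD 0

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        KeyPresent     = Test-Path -Path $keyPath
        ValueSet       = $false
        InstalledAv    = $null
        ReadyForUpdate = $false
    }

    if ($result.KeyPresent) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        # Dynamic property access: the value name is the GUID-shaped string above.
        if ($null -ne $item -and $item.$valueName -eq 0) {
            $result.ValueSet       = $true
            $result.ReadyForUpdate = $true
        }
    }

    # Security Center inventory exists on client editions of Windows only, so
    # tolerate its absence on servers rather than failing the check.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
          -ErrorAction SilentlyContinue
    if ($av) { $result.InstalledAv = ($av.displayName -join '; ') }

    [pscustomobject]$result
}

# Usage: pipe into your inventory tooling or Export-Csv across the test group.
Test-AvQualityCompat | Format-List
```

A machine that reports ReadyForUpdate = False should be held back until the AV vendor's statement confirms support, rather than having the value set by hand.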
8. How do I handle the Firmware upgrades if my device is encrypted with BitLocker?
When you patch a device's firmware, ensure that you suspend BitLocker and then upgrade the firmware and resume BitLocker protection. Some customers may experience devices prompting for BitLocker key entry after updating the firmware, even if not usually required. If you are using BitLocker, we recommend testing this behavior, and then consider whether to suspend BitLocker during this process.
9. What Windows updates address this patch?
Keeping track of Windows updates is tough nowadays. Thankfully Microsoft has provided a blog post documenting the different patches for the various operating systems that address the Meltdown / Spectre vulnerabilities. Read it here.
10. How do we recommend handling the Meltdown and Spectre vulnerabilities?
- Patch management. Ensure that your antivirus software supports the patch. Check out this link for more information about other Antivirus vendors support statements.
- Deploy the latest Windows update to your test group.
- Test extensively. Validate antivirus software is functioning correctly on all different operating system versions and with all of the different versions of your security software.
- After testing the Windows update, deploy the patches to the remainder of your environment.
- Check with your hardware vendor for recommendations regarding firmware. Provided is a list of hardware vendors and their statements.
- Test the firmware updates on test devices. It is important to test each model and validate proper functionality.
- After successful testing, ensure that BitLocker is suspended (where applicable), and then roll out the firmware update in planned phases. Provide proper communications to users in preparation for the roll-out. Re-enable BitLocker after the firmware update is complete.
- Our previous article on Meltdown & Spectre.
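As an added example (not part of the original post), this PowerShell wraps the firmware step described in items 8 and 10: it records the hardware model and current BIOS version so each model can be tracked through testing, suspends BitLocker for exactly one reboot, runs the OEM updater, and resumes protection immediately if the updater fails. The updater path and its silent switches are placeholders; substitute your vendor's tool and the switches it documents.

```powershell
# Added example: BitLocker-aware firmware update wrapper for phased rollout.
# $FirmwareUpdater and $UpdaterArgs are placeholders for the OEM's updater.
param(
    [string]$FirmwareUpdater = 'C:\Deploy\Firmware\OEM-Updater.exe',  # placeholder path
    [string[]]$UpdaterArgs   = @('/silent'),                          # placeholder switches
    [string]$OsDrive         = $env:SystemDrive
)

# Record model and BIOS version so results can be compared per hardware model.
$sys  = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
Write-Host "Model: $($sys.Manufacturer) $($sys.Model)  BIOS before: $($bios.SMBIOSBIOSVersion)"

$vol = Get-BitLockerVolume -MountPoint $OsDrive
$wasProtected = ($vol.ProtectionStatus -eq 'On')

if ($wasProtected) {
    # RebootCount 1 lets protection resume automatically after the single reboot
    # the firmware update needs, so the drive is never left suspended indefinitely.
    Suspend-BitLocker -MountPoint $OsDrive -RebootCount 1 | Out-Null
    Write-Host "BitLocker suspended on $OsDrive for one reboot"
} else {
    Write-Host "BitLocker protection not active on $OsDrive; nothing to suspend"
}

$proc = Start-Process -FilePath $FirmwareUpdater -ArgumentList $UpdaterArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    # Updater failed: restore protection now instead of waiting for a reboot.
    if ($wasProtected) { Resume-BitLocker -MountPoint $OsDrive | Out-Null }
    throw "Firmware updater exited with code $($proc.ExitCode); BitLocker resumed, no reboot"
}

Write-Host 'Firmware staged; rebooting to apply. BitLocker resumes automatically after reboot.'
Restart-Computer -Force
```

After the reboot, confirm with Get-BitLockerVolume that ProtectionStatus is back to On and re-read Win32_BIOS to verify the new version before moving to the next phase.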
Post co-authored by Adam Eaddy, Consulting Architect and Cris Weber, Lead Development architect.